Date: Thu, 29 Nov 2012 13:12:18 -0800 From: Devin Teske <devin.teske@fisglobal.com> To: "Steve O'Hara-Smith" <steve@sohara.org> Cc: Eugen Konkov <kes-kes@yandex.ru>, Devin Teske <dteske@freebsd.org>, FreeBSD Questions <freebsd-questions@freebsd.org> Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' Message-ID: <FB3AE5A0-117A-4C42-A159-4677B982E176@fisglobal.com> In-Reply-To: <20121129193835.8896ea0d.steve@sohara.org> References: <8310543741.20121129054846@yandex.ru> <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com> <20121129193835.8896ea0d.steve@sohara.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Nov 29, 2012, at 11:38 AM, Steve O'Hara-Smith wrote: > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske <devin.teske@fisglobal.com> wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 So create a wrapper and only allow access to the wrapper. Alternatively, you could research FoxT (previously known as BoKS), which al= lows you to not only lock down which commands can be executed by which argu= ments are passable. That being said, I think a wrapper is the simpler approach. It might look s= omething like this: =3D=3D=3D FILE: apache_ipfw.sh =3D=3D=3D #!/bin/sh # args sent direct to ipfw, so we must check args case "$1" in table) : fall thru ;; *) exit 1 esac sudo ipfw "$@" =3D=3D=3D END FILE =3D=3D=3D --=20 Devin > From: Steve O'Hara-Smith <steve@sohara.org> > Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' > Date: November 28, 2012 11:37:49 PM PST > To: Devin Teske <dteske@freebsd.org> > Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov <kes-kes@yandex= .ru>, FreeBSD Questions <freebsd-questions@freebsd.org> >=20 >=20 > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske <devin.teske@fisglobal.com> wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 > --=20 > Steve O'Hara-Smith <steve@sohara.org> >=20 >=20 >=20 > From: Steve O'Hara-Smith <steve@sohara.org> > Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' > Date: November 29, 2012 11:33:28 AM PST > To: Devin Teske <dteske@freebsd.org> > Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov <kes-kes@yandex= .ru>, FreeBSD Questions <freebsd-questions@freebsd.org> >=20 >=20 > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske <devin.teske@fisglobal.com> wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 > --=20 > Steve O'Hara-Smith <steve@sohara.org> >=20 > From: Steve O'Hara-Smith <steve@sohara.org> > Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' > Date: November 28, 2012 11:37:49 PM PST > To: Devin Teske <dteske@freebsd.org> > Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov <kes-kes@yandex= .ru>, FreeBSD Questions <freebsd-questions@freebsd.org> >=20 >=20 > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske <devin.teske@fisglobal.com> wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 > --=20 > Steve O'Hara-Smith <steve@sohara.org> >=20 >=20 >=20 >=20 >=20 > From: Steve O'Hara-Smith <steve@sohara.org> > Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' > Date: November 29, 2012 11:36:09 AM PST > To: Devin Teske <dteske@freebsd.org> > Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov <kes-kes@yandex= .ru>, FreeBSD Questions <freebsd-questions@freebsd.org> >=20 >=20 > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske <devin.teske@fisglobal.com> wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 > --=20 > Steve O'Hara-Smith <steve@sohara.org> >=20 > From: Steve O'Hara-Smith <steve@sohara.org> > Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' > Date: November 28, 2012 11:37:49 PM PST > To: Devin Teske <dteske@freebsd.org> > Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov <kes-kes@yandex= .ru>, FreeBSD Questions <freebsd-questions@freebsd.org> >=20 >=20 > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske <devin.teske@fisglobal.com> wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 > --=20 > Steve O'Hara-Smith <steve@sohara.org> >=20 >=20 >=20 > From: Steve O'Hara-Smith <steve@sohara.org> > Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' > Date: November 29, 2012 11:33:28 AM PST > To: Devin Teske <dteske@freebsd.org> > Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov <kes-kes@yandex= .ru>, FreeBSD Questions <freebsd-questions@freebsd.org> >=20 >=20 > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske <devin.teske@fisglobal.com> wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 > --=20 > Steve O'Hara-Smith <steve@sohara.org> >=20 > From: Steve O'Hara-Smith <steve@sohara.org> > Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' > Date: November 28, 2012 11:37:49 PM PST > To: Devin Teske <dteske@freebsd.org> > Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov <kes-kes@yandex= .ru>, FreeBSD Questions <freebsd-questions@freebsd.org> >=20 >=20 > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske <devin.teske@fisglobal.com> wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 > --=20 > Steve O'Hara-Smith <steve@sohara.org> >=20 >=20 >=20 >=20 >=20 >=20 _____________ The information contained in this message is proprietary and/or confidentia= l. If you are not the intended recipient, please: (i) delete the message an= d all copies; (ii) do not disclose, distribute or use the message in any ma= nner; and (iii) notify the sender immediately. In addition, please be aware= that any message addressed to our domain is subject to archiving and revie= w by persons other than the intended recipient. Thank you.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?FB3AE5A0-117A-4C42-A159-4677B982E176>